Sunday, 11 March 2012

Session Sharing between Java Web Applications

We had been asked to share sessions between different war files several times on different projects. This requests vary from just asking our opinion to trying to persuade us to do it by citing vendor documentations.

Those who had watched Star Wars before, would probably remember Darth Sidious's famous saying:

Dark side of the force is the pathway to many abilities, some considered to be... unnatural.

However, only Siths tend to use the dark side. Jedis instead follow the Jedi code. Back to our topic, if we would need a code for the light side on the Java world, that should be the Java Specs by the JCP. Although most vendor implementations would let you share sessions by their custom settings.

Sharing sessions between web applications will override the following JSRs, thus make your application not compatible with Java Standarts.

Servlet Speciation - "SRV.7.3 Session Scope HttpSession objects must be scoped at the application (or servlet context) level. The underlying mechanism, such as the cookie used to establish the session, can be the same for different contexts, but the object referenced, including the attributes in that object, must never be shared between contexts by the container."

Servlet Speciation - "SRV.9.2 Relationship to ServletContext The servlet container must enforce a one to one correspondence between a web application and a ServletContext. A ServletContext object provides a servlet with its view of the application.In order to share data across web applications you'll need to implement your own scheme. If it's a small amount of data, you could store it in a cookie that either web application could retrieve. If it's a large amount of data, you could store it in a database, then set a token in a cookie to identify the client and retrieve the data."

JavaEE Specification - Removal of class loader barriers to share session data will impede each component to define its security requirements through a deployment descriptor. Components will be accessible from each other disregarding deployment descriptors (EE3.6 EE3.3).

Sharing sessions between web application would violate those items both in Servlet and JavaEE specifications. However, there are different ways to pass data between web applications without breaking the rules.

First and easiest solution would be cookies. It is possible to store simple and small data on the client side using cookies. The session cookies can be encrypted and can store small amount of textual data. Session cookies can be used to store non-sensitive session information, they can be share between a group of applications using context paths.

If the data needed to pass is more complex and sensitive there are third party solutions from different vendors or MemCached. These technologies enables session sharing and management across different web applications, domains and heterogeneous application servers; They are typically distributed for scalability, availability, reliability and performance to in-memory session management and storage; They support all the mainstream application servers such as Oracle WebLogic Server, IBM WebSphere, Tomcat., Oracle WebLogic Portal, etc.

Whatever solution you choose to implement, always try to be compatible with Java specs although some vendors would give you opportunity not to do so. Keep in mind coupling with a vendor by breaking the rules would lead you to a different path which might considered to be... unnatural.